Abstract

We consider the problem of approximating discrete-time plants with finite-valued sensors and actuators by deterministic finite memory systems for the purpose of certified-by-design controller synthesis. Building on ideas from robust control, we propose a control-oriented notion of finite state approximation for these systems, demonstrate its relevance to the control synthesis problem, and discuss its key features.

1 Introduction

High fidelity models that accurately describe a dynamical system are often too complex for use in controller design. The problem of finding a lower complexity approximate model has thus been extensively studied and continues to receive much deserved attention. A model complexity reduction approach should ideally provide both a lower complexity model and a rigorous assessment of the quality of approximation, allowing one to quantify the performance of a controller designed for the lower complexity model and implemented in the original system. The problem of approximating hybrid systems by simpler systems has received considerable attention recently [1,2]: In particular, finite state approximations of hybrid systems have been the object of intense study, due to the amenability of finite state models to control synthesis. Two frameworks have been systematically explored: 'Qualitative models' and 'simulation/bisimulation abstractions'.

'Qualitative models' refers to non-deterministic finite automata whose input/output behavior contains that of the original model. Control synthesis can be formulated as a supervisory control problem, addressed in the Ramadge-Wonham framework [10,11]. The results on qualitative models [Bj, qualitative reconstruction from quantized observations [9], and l-complete approximations [7,8] fall in this category. These approaches typically address output feedback problems.

'Simulation/bisimulation abstractions' collectively refers to a set of related approaches inspired by bisimulation in concurrent processes. These approaches ensure that the set of state trajectories of the original model is exactly matched by (bisimulation), contained in (simulation), matched to within some distance $\varepsilon$ by (approximate bisimulation), or contained to within some distance $\varepsilon$ in (approximate simulation), the set of state trajectories of the finite state abstraction [SjlTHIIl]. The performance objectives are typically formulated as constraints on the state trajectories of the original hybrid system, and controller synthesis is a two step procedure: A finite state supervisory controller is designed and subsequently refined to yield a certified hybrid controller for the original plant [12]. These approaches typically address state feedback problems.

In our past research efforts, we proposed '$\rho/\mu$ gain' conditions to describe system properties, and presented a corresponding set of tools for verifying performance and robustness [17]. We also showed that for deterministic finite state machines, we can systematically design feedback controllers to achieve specified $\rho/\mu$ gain conditions [18]. We demonstrated the use of these tools and a particular approximation algorithm to synthesize finite state stabilizing controllers for switched homogeneous second order systems with binary sensors [16,18]. In this note, we formalize a control-oriented notion of finite state approximation for output feedback problems where the sensor information is coarse and actuation is finite valued. This notion is compatible with the developed analysis and synthesis tools, thus contributing to the development of a new framework for finite state machine based certified-by-design control. While the proposed notion is inspired from robust control theory, the class of problems considered here poses unique challenges due to the lack of algebraic structure (input/output signals take their values in arbitrary sets of symbols) and the need to approximate both the dynamics and the performance objectives while appropriately quantifying the approximation error.

Notation: $\mathbb{R}$, $\mathbb{Z}_+$ and $\mathbb{R}_+$ denote the reals, non-negative integers and non-negative reals, respectively. Given a set $A$, $A^{\mathbb{Z}_+}$ denotes the set of all infinite sequences over $A$ (indexed by $\mathbb{Z}_+$) and $2^A$ denotes the power set of $A$. Elements of $A$ and $A^{\mathbb{Z}_+}$ are denoted by $a$ and (boldface) $\mathbf{a}$, respectively. For $\mathbf{a} \in A^{\mathbb{Z}_+}$, $a(i)$ denotes its $i$-th term. For $f : A \to B$ and $C \subset B$, $f(A) = \{b \in B \mid b = f(a) \text{ for some } a \in A\}$ and $f^{-1}(C) = \{a \in A \mid f(a) \in C\}$.

2 Preliminaries 

We briefly review some basic concepts: Readers are referred to [17] for a more detailed treatment. A discrete-time signal is understood to be an infinite sequence over some prescribed set (or 'alphabet').

Definition 1. A discrete-time system $S$ is a set of pairs of signals, $S \subset \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$, where $\mathcal{U}$ and $\mathcal{Y}$ are given alphabets.

A discrete-time system is thus a process characterized by its feasible signals set. This view of systems 
can be considered an extension of the graph theoretic approach [3] to include the finite alphabet setting. It 
also shares some similarities with Willems' behavioral approach [H], although we insist on differentiating 
between input and output signals upfront. In this setting, system properties of interest are captured by 
means of 'integral' constraints on the feasible signals. 

Definition 2. Consider a system $S \subset \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$ and let $\rho : \mathcal{U} \to \mathbb{R}$ and $\mu : \mathcal{Y} \to \mathbb{R}$ be given functions. $S$ is $\rho/\mu$ gain stable if there exists a finite non-negative constant $\gamma$ such that

$$\inf_{T \ge 0} \sum_{t=0}^{T} \gamma \rho(u(t)) - \mu(y(t)) > -\infty \tag{1}$$

is satisfied for all $(\mathbf{u}, \mathbf{y})$ in $S$.

In particular, when $\rho$ and $\mu$ are non-negative (and not identically zero), the 'gain' can be defined.

Definition 3. Consider a system $S \subset \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$. Assume that $S$ is $\rho/\mu$ gain stable for $\rho : \mathcal{U} \to \mathbb{R}_+$ and $\mu : \mathcal{Y} \to \mathbb{R}_+$, and that neither function is identically zero. The $\rho/\mu$ gain of $S$ is the infimum of $\gamma$ such that (1) is satisfied.

We are specifically interested in discrete-time plants with finite-valued actuators and sensors:

Definition 4. A system over finite alphabets $S$ is a discrete-time system $S \subset (\mathcal{U} \times \mathcal{R})^{\mathbb{Z}_+} \times (\mathcal{Y} \times \mathcal{V})^{\mathbb{Z}_+}$ whose alphabets $\mathcal{U}$ and $\mathcal{Y}$ are finite.

Here, $\mathbf{r} \in \mathcal{R}^{\mathbb{Z}_+}$ and $\mathbf{u} \in \mathcal{U}^{\mathbb{Z}_+}$ represent the exogenous and control inputs to the plant, respectively, while $\mathbf{v} \in \mathcal{V}^{\mathbb{Z}_+}$ and $\mathbf{y} \in \mathcal{Y}^{\mathbb{Z}_+}$ represent the performance and sensor outputs of the plant, respectively. The plant dynamics may be analog, discrete or hybrid. Alphabets $\mathcal{R}$ and $\mathcal{V}$ may be finite, countable or infinite. The approximate models of the plant will be drawn from a specific class of models:

Definition 5. A deterministic finite state machine (DFM) is a discrete-time system $S \subset \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$ with finite alphabets $\mathcal{U}$, $\mathcal{Y}$, whose feasible input and output signals $(\mathbf{u}, \mathbf{y})$ are related by a state transition equation and an output equation:

$$q(t+1) = f(q(t), u(t)), \qquad y(t) = g(q(t), u(t))$$

where $t \in \mathbb{Z}_+$, $q(t) \in Q$ for some finite set $Q$, and functions $f : Q \times \mathcal{U} \to Q$ and $g : Q \times \mathcal{U} \to \mathcal{Y}$.
Finally, we introduce the following notation for convenience: Given a system $P \subset (\mathcal{U} \times \mathcal{R})^{\mathbb{Z}_+} \times (\mathcal{Y} \times \mathcal{V})^{\mathbb{Z}_+}$ and a choice of signals $\mathbf{u}_0 \in \mathcal{U}^{\mathbb{Z}_+}$ and $\mathbf{y}_0 \in \mathcal{Y}^{\mathbb{Z}_+}$, $P|_{\mathbf{u}_0,\mathbf{y}_0}$ denotes the subset of feasible signals of $P$ whose first component is $\mathbf{u}_0$ and whose third component is $\mathbf{y}_0$. That is

$$P|_{\mathbf{u}_0,\mathbf{y}_0} = \left\{ ((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P \;\middle|\; \mathbf{u} = \mathbf{u}_0 \text{ and } \mathbf{y} = \mathbf{y}_0 \right\}.$$

Note that $P|_{\mathbf{u}_0,\mathbf{y}_0}$ may be an empty set for specific choices of $\mathbf{u}_0$ and $\mathbf{y}_0$.



3 Control-Oriented Finite State Approximation

Figure 1: A finite state approximation of P

In this section we develop a new, control-oriented notion of finite state approximation for systems over finite alphabets: We assume that the purpose of deriving a DFM approximation of a system $P$ over finite alphabets is to simplify the process of synthesizing a controller $K$ such that the closed loop system $(P, K)$ is $\rho/\mu$ gain stable with $\gamma = 1$ for some given $\rho$ and $\mu$.



3.1 Proposed Notion

Definition 6 (Notion of DFM Approximation). Consider a system over finite alphabets $P \subset (\mathcal{U} \times \mathcal{R})^{\mathbb{Z}_+} \times (\mathcal{Y} \times \mathcal{V})^{\mathbb{Z}_+}$ and a desired closed loop performance objective

$$\inf_{T \ge 0} \sum_{t=0}^{T} \rho(r(t)) - \mu(v(t)) > -\infty \tag{2}$$

for given functions $\rho : \mathcal{R} \to \mathbb{R}$ and $\mu : \mathcal{V} \to \mathbb{R}$. A sequence $\{M_i\}_{i=1}^{\infty}$ of deterministic finite state machines $M_i \subset (\mathcal{U} \times \mathcal{R}_i \times \mathcal{W})^{\mathbb{Z}_+} \times (\mathcal{Y} \times \mathcal{V}_i \times \mathcal{Z})^{\mathbb{Z}_+}$ with $\mathcal{R}_i \subset \mathcal{R}$ and $\mathcal{V}_i \subset \mathcal{V}$ is a $\rho/\mu$ approximation of $P$ if there exists a corresponding sequence of systems $\{\Delta_i\}_{i=1}^{\infty}$, $\Delta_i \subset \mathcal{Z}^{\mathbb{Z}_+} \times \mathcal{W}^{\mathbb{Z}_+}$, and non-zero functions $\rho_\Delta : \mathcal{Z} \to \mathbb{R}_+$, $\mu_\Delta : \mathcal{W} \to \mathbb{R}_+$, such that for every index $i$:

(a) There exists a surjective map $\psi_i : P \to P_i$ satisfying $\psi_i(P|_{\mathbf{u},\mathbf{y}}) \subset P_i|_{\mathbf{u},\mathbf{y}}$ for all $(\mathbf{u}, \mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$, where $P_i \subset (\mathcal{U} \times \mathcal{R}_i)^{\mathbb{Z}_+} \times (\mathcal{Y} \times \mathcal{V}_i)^{\mathbb{Z}_+}$ is the feedback interconnection of $M_i$ and $\Delta_i$ as shown in Figure 1.

(b) For every feasible signal $((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P$, we have

$$\rho(r(t)) - \mu(v(t)) \;\ge\; \rho(r_{i+1}(t)) - \mu(v_{i+1}(t)) \;\ge\; \rho(r_i(t)) - \mu(v_i(t)), \tag{3}$$

for all $t \in \mathbb{Z}_+$, where $((\mathbf{u},\mathbf{r}_i),(\mathbf{y}_i,\mathbf{v}_i)) = \psi_i(((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})))$ and $((\mathbf{u},\mathbf{r}_{i+1}),(\mathbf{y}_{i+1},\mathbf{v}_{i+1})) = \psi_{i+1}(((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})))$.

(c) $\Delta_i$ is $\rho_\Delta/\mu_\Delta$ gain stable, and moreover, the corresponding $\rho_\Delta/\mu_\Delta$ gains satisfy $\gamma_i \ge \gamma_{i+1}$.



Remark 1. Note that in this setup, the dynamics of plant $P$ as well as alphabet sets $\mathcal{U}$ and $\mathcal{Y}$ are given (in practice, defined by the system and hardware). We also have no influence over the exogenous input $\mathbf{r}$. In contrast, in addition to choosing $M_i$ and $\Delta_i$, we are typically free to define the performance output $\mathbf{v}$ (which can be an arbitrary function of the state of $P$ and its inputs) to suit our purposes. We are likewise free to pick functions $\rho$, $\mu$, and non-negative functions $\rho_\Delta$, $\mu_\Delta$ to suit our purposes. The proposed notion of approximation thus provides some margin of flexibility, and the details of the problem (both the dynamics and the desired performance) largely influence our choice of signals, gain conditions, and approximate models.



3.2 Relevance to Verifiably Correct Control Synthesis

We begin by establishing several facts that will help demonstrate the relevance of the proposed notion of approximation to the problem of certified-by-design controller synthesis.

Lemma 1. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. The (non-empty) sets $P|_{\mathbf{u},\mathbf{y}}$, $(\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$, partition $P$ into equivalence classes. For every index $i$, the (non-empty) sets $P_i|_{\mathbf{u},\mathbf{y}}$, $(\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$, partition $P_i$ into equivalence classes.

Proof. It immediately follows from the definition that $P|_{\mathbf{u}_1,\mathbf{y}_1} \cap P|_{\mathbf{u}_2,\mathbf{y}_2} = \emptyset$ whenever $(\mathbf{u}_1,\mathbf{y}_1) \neq (\mathbf{u}_2,\mathbf{y}_2)$. It also follows from the definition that every $((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v}))$ in $P$ belongs to some $P|_{\mathbf{u},\mathbf{y}}$, hence $\bigcup P|_{\mathbf{u},\mathbf{y}} = P$. The proof for each $P_i$ is similar and is thus omitted for brevity. □

Lemma 2. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. For every index $i$ and $(\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$, we have $\psi_i(P|_{\mathbf{u},\mathbf{y}}) = P_i|_{\mathbf{u},\mathbf{y}}$.

Proof. By condition (a) of Definition 6, for each $i$ there exists a $\psi_i : P \to P_i$ with $\psi_i(P|_{\mathbf{u},\mathbf{y}}) \subset P_i|_{\mathbf{u},\mathbf{y}}$ for all $(\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$. What remains is to show equality. Fix index $i$. For a given choice of $(\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$: If $P_i|_{\mathbf{u},\mathbf{y}} = \emptyset$, we have $\psi_i(P|_{\mathbf{u},\mathbf{y}}) \subset P_i|_{\mathbf{u},\mathbf{y}} = \emptyset$, and equality holds. Otherwise, assume there exists an $x \in P_i|_{\mathbf{u},\mathbf{y}}$ such that $x \notin \psi_i(P|_{\mathbf{u},\mathbf{y}})$. Since $\psi_i$ is surjective, $x \in \psi_i(P|_{\mathbf{u}_1,\mathbf{y}_1})$ for some $(\mathbf{u}_1,\mathbf{y}_1) \neq (\mathbf{u},\mathbf{y})$. We then have $x \in P_i|_{\mathbf{u},\mathbf{y}} \cap P_i|_{\mathbf{u}_1,\mathbf{y}_1}$, leading to a contradiction by Lemma 1. Thus, such an $x$ cannot exist, and equality holds. Finally, note that the proof is independent of the choice of index $i$. □

Corollary 1. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. For every index $i$ and $(\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$, we have $P|_{\mathbf{u},\mathbf{y}} = \emptyset \Leftrightarrow P_i|_{\mathbf{u},\mathbf{y}} = \emptyset$.

Proof. For any index $i$, we have $P_i|_{\mathbf{u},\mathbf{y}} = \emptyset \Leftrightarrow \psi_i(P|_{\mathbf{u},\mathbf{y}}) = \emptyset \Leftrightarrow P|_{\mathbf{u},\mathbf{y}} = \emptyset$, where the first equivalence follows from Lemma 2. □

As a consequence of these simple facts, if we were to partition each of $P$ and $P_i$ into equivalence classes of feasible signals having identical first and third components (corresponding to control inputs and sensor outputs), the existence of a surjective map $\psi_i$ satisfying condition (a) of Definition 6 effectively establishes a 1-1 correspondence between the equivalence classes of $P$ and $P_i$. Moreover, it follows from condition (b) of Definition 6 that if all signals in a given equivalence class of $P_i$ satisfy a $\rho/\mu$ gain stability condition, then so do all the signals of the corresponding equivalence class of $P$. This is formalized and proved in the following statements.

Corollary 2. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. For every index $i$, there exists a bijection between the equivalence classes $\{P|_{\mathbf{u},\mathbf{y}}\}$ of $P$ and $\{P_i|_{\mathbf{u},\mathbf{y}}\}$ of $P_i$.

Proof. For every index $i$, consider the map $\Psi_i : \{P|_{\mathbf{u},\mathbf{y}}\} \to \{P_i|_{\mathbf{u},\mathbf{y}}\}$ defined by $\Psi_i(P|_{\mathbf{u},\mathbf{y}}) = \psi_i(P|_{\mathbf{u},\mathbf{y}})$. Note that the choice of codomain for $\Psi_i$ is valid by Lemma 2. $\Psi_i$ is injective:

$$\Psi_i(P|_{\mathbf{u}_1,\mathbf{y}_1}) = \Psi_i(P|_{\mathbf{u}_2,\mathbf{y}_2}) \;\Rightarrow\; P_i|_{\mathbf{u}_1,\mathbf{y}_1} = P_i|_{\mathbf{u}_2,\mathbf{y}_2} \;\Rightarrow\; (\mathbf{u}_1,\mathbf{y}_1) = (\mathbf{u}_2,\mathbf{y}_2) \;\Rightarrow\; P|_{\mathbf{u}_1,\mathbf{y}_1} = P|_{\mathbf{u}_2,\mathbf{y}_2}$$

with the first implication following from Lemma 2 and the second implication following from Corollary 1. Indeed, we can exclude the possibility that $P_i|_{\mathbf{u}_1,\mathbf{y}_1} = P_i|_{\mathbf{u}_2,\mathbf{y}_2} = \emptyset$ in the second implication, as that would imply (by Corollary 1) that $P|_{\mathbf{u}_1,\mathbf{y}_1} = P|_{\mathbf{u}_2,\mathbf{y}_2} = \emptyset$, which is false by assumption. $\Psi_i$ is surjective: For every $P_i|_{\mathbf{u},\mathbf{y}} \neq \emptyset$, there exists $P|_{\mathbf{u},\mathbf{y}} \neq \emptyset$ (by Corollary 1) such that $\Psi_i(P|_{\mathbf{u},\mathbf{y}}) = P_i|_{\mathbf{u},\mathbf{y}}$. Therefore, $\Psi_i$ is bijective. □

Lemma 3. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. For any choice of index $i$ and of $(\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$, if every $((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}})) \in P_i|_{\mathbf{u},\mathbf{y}}$ satisfies

$$\inf_{T \ge 0} \sum_{t=0}^{T} \rho(\tilde r(t)) - \mu(\tilde v(t)) > -\infty \tag{4}$$

then every $((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P|_{\mathbf{u},\mathbf{y}}$ satisfies (2).

Proof. Fix $i$ and consider any $(\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}$. If $P_i|_{\mathbf{u},\mathbf{y}} = \emptyset$, then $P|_{\mathbf{u},\mathbf{y}} = \emptyset$ by Corollary 1 and the statement holds vacuously. Now suppose that $P_i|_{\mathbf{u},\mathbf{y}} \neq \emptyset$ and every $((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}})) \in P_i|_{\mathbf{u},\mathbf{y}}$ satisfies (4). Pick any $((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P|_{\mathbf{u},\mathbf{y}}$ and consider its image $\psi_i(((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v}))) = ((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}}))$. By condition (b) of Definition 6 we have

$$\rho(r(t)) - \mu(v(t)) \ge \rho(\tilde r(t)) - \mu(\tilde v(t)),\ \forall t \;\Rightarrow\; \sum_{t=0}^{T} \rho(r(t)) - \mu(v(t)) \ge \sum_{t=0}^{T} \rho(\tilde r(t)) - \mu(\tilde v(t)),\ \forall T$$

$$\Rightarrow\; \sum_{t=0}^{T} \rho(r(t)) - \mu(v(t)) \ge \inf_{T \ge 0} \sum_{t=0}^{T} \rho(\tilde r(t)) - \mu(\tilde v(t)) > -\infty,\ \forall T.$$

Thus if every element of $P_i|_{\mathbf{u},\mathbf{y}}$ satisfies (4), then every element of $P|_{\mathbf{u},\mathbf{y}}$ satisfies (2). □

We are now ready to turn our attention to the problem of control synthesis. 

Theorem 1. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. Let $K \subset \mathcal{Y}^{\mathbb{Z}_+} \times \mathcal{U}^{\mathbb{Z}_+}$ be such that the feedback interconnection $(P_i, K) \subset \mathcal{R}_i^{\mathbb{Z}_+} \times \mathcal{V}_i^{\mathbb{Z}_+}$ satisfies (4) for some index $i$. Then the feedback interconnection $(P, K) \subset \mathcal{R}^{\mathbb{Z}_+} \times \mathcal{V}^{\mathbb{Z}_+}$ satisfies (2).

Proof. Let

$$P|_K = \{((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P \mid (\mathbf{y},\mathbf{u}) \in K\}, \qquad P_i|_K = \{((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}})) \in P_i \mid (\mathbf{y},\mathbf{u}) \in K\}.$$

Note that the closed loop systems $(P,K)$ and $(P_i,K)$ are simply the projections of $P|_K$ and $P_i|_K$, respectively, along the second and fourth components:

$$(P,K) = \{(\mathbf{r},\mathbf{v}) \in \mathcal{R}^{\mathbb{Z}_+} \times \mathcal{V}^{\mathbb{Z}_+} \mid ((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P|_K \text{ for some } (\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}\},$$

$$(P_i,K) = \{(\tilde{\mathbf{r}},\tilde{\mathbf{v}}) \in \mathcal{R}_i^{\mathbb{Z}_+} \times \mathcal{V}_i^{\mathbb{Z}_+} \mid ((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}})) \in P_i|_K \text{ for some } (\mathbf{u},\mathbf{y}) \in \mathcal{U}^{\mathbb{Z}_+} \times \mathcal{Y}^{\mathbb{Z}_+}\}.$$

Also note that by definition, every $(\mathbf{r},\mathbf{v})$ in $(P,K)$ satisfies (2) if and only if every $((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v}))$ in $P|_K$ satisfies (2). Likewise, every $(\tilde{\mathbf{r}},\tilde{\mathbf{v}})$ in $(P_i,K)$ satisfies (4) if and only if every $((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}}))$ in $P_i|_K$ satisfies (4). Now suppose that for some index $i$, $(P_i,K)$ satisfies (4). Thus for every $(\mathbf{y},\mathbf{u}) \in K$, all the elements of $P_i|_{\mathbf{u},\mathbf{y}}$ satisfy (4), and it follows from Lemma 3 that all the elements of $P|_{\mathbf{u},\mathbf{y}}$ satisfy (2). Hence every element of $P|_K$ also satisfies (2), and so does $(P,K)$. □

Theorem 1 implies that the original problem of designing a controller $K$ for the plant $P$ to meet performance objective (2) can be substituted by the problem of designing a controller $K$ for some $P_i$ to meet an auxiliary performance objective (4), since any feedback controller that allows us to meet the closed loop specifications of the latter problem also allows us to meet the closed loop specifications of the former problem. Of course, the problem of finding a controller $K$ such that the feedback interconnection $(P_i, K)$ satisfies (4) is a difficult problem in general, since $\Delta_i$ can be an arbitrarily complex system. However, a simpler problem can be posed by utilizing the available characterization of the approximation error in terms of $\rho_\Delta/\mu_\Delta$ gain stability with gain $\gamma_i$. Similar to what is done in the classical robust control setting, the idea is to design $K$ such that the interconnection of $M_i$, $K$ and any $\Delta$ in the class

$$\boldsymbol{\Delta}_i = \left\{ \Delta \subset \mathcal{Z}^{\mathbb{Z}_+} \times \mathcal{W}^{\mathbb{Z}_+} \;\middle|\; \inf_{T \ge 0} \sum_{t=0}^{T} \gamma_i \rho_\Delta(z(t)) - \mu_\Delta(w(t)) > -\infty \text{ holds } \forall (\mathbf{z},\mathbf{w}) \in \Delta \right\}$$

satisfies the auxiliary performance objective (4). This synthesis problem can be elegantly formulated using the 'Small Gain Theorem' proposed in [17].








Figure 2: Setup for the 'Small Gain' Theorem. 



Theorem 2 (Small Gain Theorem, adapted from [17]). Consider the feedback interconnection of two systems $S$ and $\Delta$ as in Figure 2. If $S$ satisfies

$$\inf_{T \ge 0} \sum_{t=0}^{T} \rho_S(r(t), w(t)) - \mu_S(v(t), z(t)) > -\infty \tag{5}$$

for some $\rho_S : \mathcal{R} \times \mathcal{W} \to \mathbb{R}$, $\mu_S : \mathcal{V} \times \mathcal{Z} \to \mathbb{R}$ ($\mathcal{R}$, $\mathcal{W}$, $\mathcal{V}$ and $\mathcal{Z}$ are finite alphabets), and $\Delta$ satisfies

$$\inf_{T \ge 0} \sum_{t=0}^{T} \gamma_\Delta \rho_\Delta(z(t)) - \mu_\Delta(w(t)) > -\infty \tag{6}$$

for some scalar $\gamma_\Delta$, $\rho_\Delta : \mathcal{Z} \to \mathbb{R}$, $\mu_\Delta : \mathcal{W} \to \mathbb{R}$, then $(S, \Delta)$ satisfies (2) for $\rho : \mathcal{R} \to \mathbb{R}$, $\mu : \mathcal{V} \to \mathbb{R}$ defined by

$$\rho(r) = \max_{w \in \mathcal{W}} \{\rho_S(r, w) - \tau \mu_\Delta(w)\}, \qquad \mu(v) = \min_{z \in \mathcal{Z}} \{\mu_S(v, z) - \tau \gamma_\Delta \rho_\Delta(z)\}$$

for any $\tau > 0$. □
Interpreting Theorem 2 where "$S$" represents the feedback interconnection of $M_i$ and $K$ and where "$\Delta$" represents the corresponding approximation error $\Delta_i$, we can formulate the following:

Theorem 3. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. If for some index $i$, there exists a controller $K \subset \mathcal{Y}^{\mathbb{Z}_+} \times \mathcal{U}^{\mathbb{Z}_+}$ such that the feedback interconnection $(M_i, K) \subset (\mathcal{R}_i \times \mathcal{W})^{\mathbb{Z}_+} \times (\mathcal{V}_i \times \mathcal{Z})^{\mathbb{Z}_+}$ satisfies

$$\inf_{T \ge 0} \sum_{t=0}^{T} \rho(\tilde r(t)) - \mu(\tilde v(t)) + \tau \mu_\Delta(w(t)) - \tau \gamma_i \rho_\Delta(z(t)) > -\infty \tag{7}$$

for some $\tau > 0$, then the feedback interconnection $(P_i, K) \subset \mathcal{R}_i^{\mathbb{Z}_+} \times \mathcal{V}_i^{\mathbb{Z}_+}$ satisfies (4).

Proof. Letting $S = (M_i, K)$, $\Delta = \Delta_i$, $\rho_S(\tilde r, w) = \rho(\tilde r) + \tau \mu_\Delta(w)$, $\mu_S(\tilde v, z) = \mu(\tilde v) + \tau \gamma_i \rho_\Delta(z)$, and $\gamma_\Delta = \gamma_i$, we have by Theorem 2 that the interconnection of $(M_i, K)$ and $\Delta_i$ satisfies (4). Equivalently, the feedback interconnection $(P_i, K)$ satisfies (4). □

The problem of designing a controller $K$ for a DFM $M_i$ so that the closed loop system satisfies a gain condition (such as (7)) can be systematically addressed by solving a corresponding discrete minimax problem. Interested readers are referred to [18] for the details of the approach.

Intuitively, the availability of such finite approximations allows one to successively replace the original synthesis problem by two problems: The first (Theorem 1) allows one to approximate the performance objectives when the exogenous input and performance output of the plant are not finite valued. The second (Theorem 3) allows one to simplify the synthesis problem at the expense of additional conservatism by introducing a set based description of the approximate model. In practice, exact computation of $\gamma_i$ may be computationally prohibitive if not impossible. Gain bounds are typically used, leading to a hierarchy of synthesis problems and controllers.

Theorem 4. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. For each approximate model $M_i$ and corresponding approximation error $\Delta_i$ with gain $\gamma_i$, let $\{\gamma_i^j\}_{j=1}^{\infty}$ be a sequence of gain bounds satisfying $\gamma_i^j \ge \gamma_i^{j+1} \ge \gamma_i$. Let $K_j \subset \mathcal{Y}^{\mathbb{Z}_+} \times \mathcal{U}^{\mathbb{Z}_+}$ be such that the feedback interconnection $(M_i, K_j) \subset (\mathcal{R}_i \times \mathcal{W})^{\mathbb{Z}_+} \times (\mathcal{V}_i \times \mathcal{Z})^{\mathbb{Z}_+}$ satisfies

$$\inf_{T \ge 0} \sum_{t=0}^{T} \rho(\tilde r(t)) - \mu(\tilde v(t)) + \tau \mu_\Delta(w(t)) - \tau \gamma_i^j \rho_\Delta(z(t)) > -\infty$$

for some $\tau > 0$. Then:

(a) For every $k \ge j$, $(M_i, K_j) \subset (\mathcal{R}_i \times \mathcal{W})^{\mathbb{Z}_+} \times (\mathcal{V}_i \times \mathcal{Z})^{\mathbb{Z}_+}$ satisfies

$$\inf_{T \ge 0} \sum_{t=0}^{T} \rho(\tilde r(t)) - \mu(\tilde v(t)) + \tau \mu_\Delta(w(t)) - \tau \gamma_i^k \rho_\Delta(z(t)) > -\infty.$$

(b) $(P_i, K_j) \subset \mathcal{R}_i^{\mathbb{Z}_+} \times \mathcal{V}_i^{\mathbb{Z}_+}$ satisfies (4).

Proof. The proof of statement (a) follows from the fact that $\gamma_i^j \ge \gamma_i^k$ for $k \ge j$. The proof of statement (b) follows from $\gamma_i^j \ge \gamma_i$ and Theorem 3. □

We conclude with a final observation: 

Theorem 5. Consider a plant $P$ and a $\rho/\mu$ approximation $\{M_i\}$ as in Definition 6. Suppose that for some index $i^*$, there exists a time $T^*$ such that

$$\rho(r(t)) - \mu(v(t)) = \rho(\tilde r(t)) - \mu(\tilde v(t)), \quad \forall t \ge T^* \tag{8}$$

for every $((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P$, $((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}})) = \psi_{i^*}(((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})))$. Then, for any $K \subset \mathcal{Y}^{\mathbb{Z}_+} \times \mathcal{U}^{\mathbb{Z}_+}$, the interconnection $(P_{i^*}, K) \subset \mathcal{R}_{i^*}^{\mathbb{Z}_+} \times \mathcal{V}_{i^*}^{\mathbb{Z}_+}$ satisfies (4) iff the interconnection $(P, K) \subset \mathcal{R}^{\mathbb{Z}_+} \times \mathcal{V}^{\mathbb{Z}_+}$ satisfies (2).

Proof. Necessity follows from Theorem 1. To prove sufficiency, suppose that $(P, K)$ satisfies (2). Equivalently (using the notation introduced in the proof of Theorem 1), every $((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P|_K$ satisfies (2). Noting that

$$P|_K = \bigcup_{(\mathbf{y},\mathbf{u}) \in K} P|_{\mathbf{u},\mathbf{y}},$$

we can equivalently rewrite this as: $P|_{\mathbf{u},\mathbf{y}}$ satisfies (2) for all $(\mathbf{y},\mathbf{u}) \in K$. Now pick any $(\mathbf{y},\mathbf{u}) \in K$: For any $((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}})) \in P_{i^*}|_{\mathbf{u},\mathbf{y}}$, it follows from Lemma 2 that there exists a $((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v})) \in P|_{\mathbf{u},\mathbf{y}}$ such that $\psi_{i^*}(((\mathbf{u},\mathbf{r}),(\mathbf{y},\mathbf{v}))) = ((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}}))$. For $T \ge T^*$, we can write

$$\sum_{t=0}^{T} \rho(\tilde r(t)) - \mu(\tilde v(t)) = \sum_{t=0}^{T^*-1} \rho(\tilde r(t)) - \mu(\tilde v(t)) + \sum_{t=T^*}^{T} \rho(\tilde r(t)) - \mu(\tilde v(t))$$

$$= \sum_{t=0}^{T^*-1} \rho(\tilde r(t)) - \mu(\tilde v(t)) + \sum_{t=T^*}^{T} \rho(r(t)) - \mu(v(t))$$

$$= C + \sum_{t=0}^{T} \rho(r(t)) - \mu(v(t))$$

where $C = \sum_{t=0}^{T^*-1} \rho(\tilde r(t)) - \mu(\tilde v(t)) - \sum_{t=0}^{T^*-1} \rho(r(t)) - \mu(v(t))$. We thus conclude that $((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}}))$ satisfies (4). The argument is completed by noting that the choice of $(\mathbf{y},\mathbf{u}) \in K$ and $((\mathbf{u},\tilde{\mathbf{r}}),(\mathbf{y},\tilde{\mathbf{v}})) \in P_{i^*}|_{\mathbf{u},\mathbf{y}}$ were arbitrary.

It follows from the above and Lemma 2, using an argument similar to that made in Theorem 1 (omitted here for brevity), that $(P_{i^*}, K)$ satisfies (4). □



Remark 2. In practice, an iterative procedure is used, whereby the first component of the approximation sequence is constructed and control synthesis is attempted. If synthesis is successful, we are done; otherwise, the next component of the sequence is constructed and our attempt at control synthesis is repeated.



3.3 Illustrative Example

Figure 3: Water level of the tank in feedback with a DFM controller for various initial conditions.

Consider a tank with area $A$ (sq.cm.) and height $h$ (cm), a binary sensor that indicates whether the water level is above or below $h/2$, and an actuator that can pump water in or drain water out at a rate $p$ (liters/minute). The dynamics of the sampled plant $P$, from which we receive a measurement $y \in \mathcal{Y} = \{\text{'Empty'}, \text{'Full'}\}$ at the beginning of every sampling instant and choose and hold a control input $u \in \mathcal{U} = \{\text{'Pump'}, \text{'Drain'}\}$ until the next sampling instant, is given by

$$x(t+1) = \begin{cases} \min\left\{h,\; x(t) + \dfrac{1000\,pT}{60A}\right\} & \text{when } u(t) = \text{'Pump'} \\[2ex] \max\left\{0,\; x(t) - \dfrac{1000\,pT}{60A}\right\} & \text{when } u(t) = \text{'Drain'} \end{cases}$$

where $T$ is the sampling interval (seconds). Our objective is to drive and hold the water level within some desired bounds, in the absence of exogenous input $r$. The performance output $v$ is chosen to take the value 0 when the water level falls within the desired bounds and 1 otherwise. The performance objective can thus be written as a gain condition (2), with $\rho(r) = 0$ and $\mu(v) = v$. Letting $A = 100$, $h = 30$, $p = 1$, $T = 7.5$, and choosing a desired water level between 22.5 and 25 cm, the components of the approximation are constructed as follows: For $i = 1$, the tank is first partitioned into 6 equal intervals of length $h/6$, while for each subsequent $i$ the number of elements in the partition is doubled (i.e. $i = 2 \to 12$ elements, $i = 3 \to 24$ elements, ...). The states of $M_i$ are the elements of the partition as well as unions of arbitrary numbers of neighboring elements. $M_i$ is initialized to the state encompassing the whole tank (reflecting our lack of knowledge of the plant's initial state). The transitions of $M_i$ are deterministic by construction, while its output $y_i$ is not: Outputs associated with states corresponding to intervals crossing $h/2$ are interpreted as false predictions when computing the gain of the error system $\Delta_i$. Error system $\Delta_i$ has input $z = u$ and output $w \in \{0, 1\}$, with $w = 0$ ($w = 1$) indicating a sensor output match (mismatch) between $P$ and $M_i$. $\Delta_i$ is described by a gain condition of the form (6) where $\rho_\Delta(z) = \rho_\Delta(u) = 1$ and $\mu_\Delta(w) = w$. Note that the construction is similar to that proposed in [18], but with a different gain condition describing the performance objectives, as reachability specifications are considered here rather than exponential stability with guaranteed rate of convergence. The performance output $\tilde v_i$ is set to 0 for states lying entirely within the desired bounds, and set to 1 otherwise.

Implementing this algorithm: For $i = 1$ and $i = 2$, the gain bound of $\Delta_i$ is 1, and design is not successful. For $i = 3$, the gain bound is 0: The approximate model thus succeeds in perfectly predicting the sensor output of the plant after some transient. Moreover, control design is successful: Representative paths of the water level in the closed loop system, consisting of the plant in feedback with the controller (a DFM with 190 states), are plotted in Figure 3 for various plant initial conditions. Of course, as design is successful, it is unnecessary to construct the remaining components of the $\rho/\mu$ approximation sequence for $i \ge 4$.
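To make the construction concrete, here is an added simulation (my code, not the paper's) of the sampled tank plant running beside an interval-valued model $M_i$ and emitting the mismatch signal $w$ of $\Delta_i$; it also shows why the coarser partitions fail: for $i = 1, 2$ the whole-tank state is invariant under both inputs, whereas for $i = 3$ one step equals one cell and the state collapses to a single cell after the filling transient. Closed cell boundaries, the cover-after-shift transition, the sensor threshold $x \ge h/2$ and treating a state that touches $h/2$ as a false prediction are my assumptions, so the mismatch counts are illustrative rather than the paper's gain bounds.

```python
"""Sampled water tank of Section 3.3 beside an interval-valued DFM approximation M_i.

Added example (not the paper's code): plant P and M_i run side by side under the same
control input, and the mismatch signal w of the error system Delta_i is emitted.
Assumptions: closed cells [k*c, (k+1)*c], a DFM state = (lo, hi) cell range, the
transition = cell cover of the shifted range, 'Full' iff level >= h/2, and a state
touching or crossing h/2 counts as a false prediction.
"""
from math import ceil, floor

A, H, P_RATE, T_SAMPLE = 100.0, 30.0, 1.0, 7.5      # sq.cm, cm, liters/minute, seconds
STEP = 1000.0 * P_RATE * T_SAMPLE / (60.0 * A)       # level change per sample in cm (1.25)
EPS = 1e-9                                           # guards floor/ceil at exact boundaries


def plant_step(x, u):
    """x(t+1) = min{h, x + step} when u = 'Pump', max{0, x - step} when u = 'Drain'."""
    return min(H, x + STEP) if u == "Pump" else max(0.0, x - STEP)


def sensor(x):
    """Binary sensor of P: whether the level is above or below h/2."""
    return "Full" if x >= H / 2 else "Empty"


def num_cells(i):
    """Partition of the tank: 6 cells for i = 1, doubled for every subsequent i."""
    return 6 * 2 ** (i - 1)


def dfm_step(state, u, i):
    """Deterministic transition of M_i. A state (lo, hi) stands for the union of
    neighbouring cells covering levels [lo*c, (hi+1)*c]; that range is shifted by
    STEP with saturation at 0 and h, then covered again by whole cells."""
    n = num_cells(i)
    c = H / n
    a, b = state[0] * c, (state[1] + 1) * c
    if u == "Pump":
        a, b = min(H, a + STEP), min(H, b + STEP)
    else:
        a, b = max(0.0, a - STEP), max(0.0, b - STEP)
    lo = min(n - 1, floor(a / c + EPS))
    hi = max(lo, min(n - 1, ceil(b / c - EPS) - 1))
    return (lo, hi)


def dfm_output(state, i):
    """Sensor prediction of M_i: 'Empty'/'Full' when every covered level lies strictly
    below / at or above h/2, None (a false prediction) when the state straddles h/2."""
    c = H / num_cells(i)
    if (state[1] + 1) * c < H / 2:
        return "Empty"
    if state[0] * c >= H / 2:
        return "Full"
    return None


def simulate(i, x0, inputs):
    """Drive P (from level x0) and M_i (from the whole-tank state) with the same input
    sequence; w(t) = 0 on a sensor match and 1 on a mismatch. Returns (w, final state)."""
    state = (0, num_cells(i) - 1)        # M_i starts knowing nothing about the level
    x, w = x0, []
    for u in inputs:
        x = plant_step(x, u)
        state = dfm_step(state, u, i)
        w.append(0 if dfm_output(state, i) == sensor(x) else 1)
    return w, state


def mismatch_summary(i, x0, inputs):
    """(number of mismatches, time of the last one or -1, final state of M_i)."""
    w, state = simulate(i, x0, inputs)
    last = max((t for t, wt in enumerate(w) if wt), default=-1)
    return sum(w), last, state


# Constructed input sequence: fill the tank, then step around the band [22.5, 25] cm.
SEQ = ["Pump"] * 24 + ["Drain"] * 5 + ["Pump"] * 3

if __name__ == "__main__":
    for i in (1, 2, 3):
        count, last, state = mismatch_summary(i, 10.0, SEQ)
        print(f"i={i}: {num_cells(i):2d} cells, {count} mismatches, "
              f"last at t={last}, final state {state}")
```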

4 Discussion 

4.1 Connections to LTI Model Reduction 
Figure 4: Definition 6 interpreted in the LTI setting

In the classical setting, a stable LTI plant of order $m$ can be considered an approximation of a stable LTI plant $P$ of order $n > m$ if we can recover $P$ by perturbing the lower order plant using a small stable perturbation. The proposed notion has a similar flavor, with the caveat that we cannot generally hope to exactly recover the performance objective due to the finiteness of the input and output alphabets of a DFM. Alternatively, note that the notion of approximation proposed in Definition 6 has an interpretation in the classical setting (i.e. if we drop the requirements that $M_i$ is a DFM and that $\mathcal{U}$, $\mathcal{Y}$ are finite). Indeed, assume that $P$ is a stable LTI system of order $n$ and each $M_i$ is a stable LTI system of order $m_i < n$. In this case, $\mathcal{R}_i = \mathcal{R} = \mathcal{U} = \mathcal{Z}$, $\mathcal{V}_i = \mathcal{V} = \mathcal{Y} = \mathcal{W}$, $\Delta_i$ is a stable LTI system given by $\Delta_i = P - M_i$ and is an additive perturbation of $M_i$ as shown in Figure 4. Thus $P_i = P$ and $\psi_i$ is simply the identity map. Intuitively, $\psi_i$ captures the necessity, in general, to approximate the performance objective in addition to the plant for the class of problems considered in this paper, unless the original plant $P$ is itself a DFM. Moreover, additional input and output channels are needed here (for $w$ and $z$) as signals cannot simply be added as in the LTI setting.

4.2 Salient Features of the Proposed Notion of Approximation 

The proposed notion has three distinguishing features with important implications in control synthesis. First, the design objectives are gain conditions (Definition 6), and are part of the givens of the problem. Accordingly, both the plant and the performance specifications are approximated. Second, the approximation error is characterized by the error system $\Delta_i$, quantified in terms of a gain. Third, the relation between the original plant and its approximations is defined in terms of the input/output behaviors of two systems: $P$, and the feedback interconnection of $M_i$ with the corresponding $\Delta_i$. Specifically, $(M_i, \Delta_i)$ exactly matches the control input/sensor output signal pairs of $P$ while satisfying additional constraints on the exogenous input/performance output signal pairs. Consequently, correct-by-design control synthesis reduces in this framework to the problem of synthesizing a controller for the DFM model so that the closed loop system satisfies suitable gain conditions, a problem that can be posed and solved as a dynamic game [18]. Moreover, this immediately yields a corresponding finite state controller for the original plant.

4.3 Connections to Existing Notions for Hybrid Systems 

We begin by emphasizing that all three notions of approximation enable certified-by-design controller synthesis. In other words, if a "sufficiently close" model is constructed and synthesis is successful, the resulting controller guarantees that the actual closed loop system satisfies the desired specifications, thus bypassing the need for expensive testing and verification.

Qualitative models 0H9^ are similar to our proposed notion in that they characterize valid approximations in terms of input/output behaviors, and they typically address (discrete) output feedback problems. However, they fundamentally differ in several respects: First, in the class of nominal models considered (non-deterministic finite automata). Second, in the lack of a quantitative measure of the quality of approximation, as approximation is simply captured by a set inclusion condition requiring the input/output behavior of the plant to be a subset of that of its approximation. Third, in the class of controllers (supervisory controllers) and the control synthesis procedure (Ramadge/Wonham framework [10,11]), which generally requires solving a dynamic programming problem for a product automaton derived from the approximate model and the performance specifications.

Approximate simulation/bisimulation abstractions [^ [T^HHl share one similarity with the proposed notion, namely that they quantify the quality of approximation through a suitably defined metric $\delta$. However, they differ from the proposed notion in two important respects: First, they are fundamentally state-space notions that seek to relate the state trajectories of the approximate model and the original plant, rather than their input/output behavior. Intuitively, an (approximate) simulation abstraction can (approximately) generate every possible output signal of the plant for some choice of input generally different from the corresponding input of the original system, a detail of little consequence to verification problems but with ramifications on the problem of control synthesis. Indeed, control design here is a two step procedure consisting of supervisory control synthesis followed by controller refinement, yielding a hybrid controller for the original plant [12]. Second, these methods typically address full state feedback problems.
5 Current & Future Work

Current research efforts are focused on developing general algorithms for constructing approximations. Preliminary efforts based on input/output partitions were reported in [15]. Future work will be in two additional directions: First, exploring the use of gain conditions to encode wider classes of performance objectives. Specifically, we are interested in understanding to what extent temporal logic specifications, demonstrated to some extent in the context of the two existing notions, can be handled by the proposed framework. Second, quantifying the complexity of finite memory approximations needed for a given synthesis task. At the core of the difficulty is the state observation problem and the limitations imposed by the discrete output feedback. Developments in these two directions will be instrumental in assessing the merits and drawbacks of the proposed notion relative to the existing ones.